In my two-decade career in cybersecurity, I have observed firsthand that while technology plays a significant role in protecting organizations, the human element is equally crucial. It is often said that the most sophisticated security protocols can be undermined by a single click from an uninformed or careless employee. In this article, I aim to shed light on the often-overlooked ‘human factor’ and provide recommendations to help businesses bolster this weakest link in the cybersecurity chain.
The current threat landscape
The global cybersecurity landscape is complex and ever-changing, with new vulnerabilities and threats surfacing almost daily. We’ve come a long way in deploying Zero Trust Architectures, advanced artificial intelligence (AI) algorithms, firewalls, intrusion detection systems, and more to safeguard our organizations. However, it’s startling to note that most security incidents are not solely the result of sophisticated hacking techniques, but are often aided by human error.
Human errors, like falling for phishing emails, weak password practices, or accidental data leakage, can make an organization’s fortified network vulnerable. These mistakes are not limited to junior staff; even executives fall prey to such attacks. It’s evident that no one is immune, making human factors an urgent concern for every organization. For example, the recent MGM Resorts breach was the result of simple social engineering: the threat actor tricked a help desk attendant into resetting a password without sufficient verification of the caller’s identity.
The cost of negligence
Neglecting the human factor can result in considerable financial loss, damaged reputation, and loss of customer trust. Sometimes, the damage is irreversible. In the wake of an incident, organizations often realize they could have avoided the breach had they invested in adequate human-centric security measures.
Additionally, starting December 18, 2023, the SEC will require public companies to report material cyber incidents within four business days. This will bring greater transparency to investors and customers, and will also shine a spotlight on companies experiencing material breaches.
Strategies to Reduce Human-induced Risks
In a world saturated with cyber threats, focusing solely on technological solutions is akin to building a fortress but leaving the gate unguarded. In fact, Rupal Hollenbeck, President of Check Point, often says that cybersecurity is really about “people, process, and technology – in that order.” By elevating the awareness and understanding of the human factor in cybersecurity, organizations can build a more robust, comprehensive defense against cyber threats.
In my role as an Architect and Evangelist, I strongly advocate for the integration of human-centric strategies into your cybersecurity approach. Remember, the most effective security strategy is one that accounts for both machine and human vulnerabilities.
In my experience, CISOs have reduced this risk by making the following changes:
Phishing attacks
The art of deception is a hacker’s best tool. Employees often fall victim to emails or messages that appear genuine but are designed to gather sensitive information or install malware. Most organizations limit their defenses to corporate email and ignore the biggest remaining threat vector, the mobile device: Mobile Threat Defense protects employees from falling prey to texting (smishing) attacks delivered through chat applications or personal email running on the same device. In fact, the average cost of a phishing breach is $4.76M. This clearly needs to be a focus for better protection.
Cyber training
Most organizations conduct a one-off phishing exercise to satisfy compliance needs and forget that cyber threats are continuously evolving. Employees must continuously update their defenses against these evolving threats.
Regular training on good cyber hygiene is very important for reducing the chances of a human error causing a breach. The good news is that there are many training options – from virtual escape rooms to phishing games to advanced cyber courses.
Credentials management
Security leaders across industries have the challenging task of ensuring that their organization’s digital assets are protected. One of the key aspects of this is password management. Here are some recommended best practices.
- Zero Trust Architecture: Adopt a zero-trust model where no user or system is trusted by default. All must go through verification and authentication, regardless of their location relative to the network perimeter.
- Single Sign-On (SSO): Consider implementing SSO solutions to reduce the number of passwords an employee needs to remember. However, ensure that the SSO solution itself is extremely secure, since it becomes a single point of compromise for every application behind it.
- Multi-Factor Authentication (MFA): Implementing MFA adds an extra layer of security, usually involving something the user knows (a password) and something the user has (a mobile device that receives a one-time code via an authenticator app or text message).
- Periodic Audits: Conduct regular audits to ensure that password policies are being followed. Many modern systems allow admins to see if users are reusing passwords or if they are not changing them frequently enough.
- Account Lockout Policies: Implement an account lockout policy that temporarily locks accounts after a certain number of failed login attempts. This can thwart brute-force attacks, but should be balanced to not lock out legitimate users unintentionally.
- Password Expiry and Rotation: Regularly requiring users to change their passwords can prevent attackers from gaining prolonged access to an account. However, this needs to be balanced as very frequent changes can lead to poor password choices.
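The lockout and audit items above are easy to state and easy to get wrong in practice. The following Python module is an added illustration, not code from the author or from Check Point: it implements a balanced lockout policy (a sliding failure window, a temporary lock that expires on its own, and a counter reset on successful login so legitimate users are not punished for an old typo) together with a password-history check that refuses reuse of recent passwords. The policy constants, the username and password values, and the explicit `now` clock parameter are constructed for the example; a production system would take them from policy configuration and a monotonic clock.

```python
import hashlib
import hmac
import os
from collections import deque

# Policy parameters (constructed for this example; tune them per organization).
MAX_FAILED_ATTEMPTS = 5           # failures tolerated inside the window before a lock
FAILURE_WINDOW_SECONDS = 15 * 60  # sliding window in which failures are counted
LOCKOUT_SECONDS = 10 * 60         # temporary lock that expires without admin action
PASSWORD_HISTORY_DEPTH = 5        # previous hashes a new password is checked against
PBKDF2_ITERATIONS = 200_000
DUMMY_SALT = b"\x00" * 16         # used to keep timing uniform for unknown usernames


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """Per-username credentials, recent failures and lock state.

    `now` is passed explicitly (seconds) so the policy can be exercised
    deterministically; a real deployment would read a monotonic clock.
    """

    def __init__(self):
        self._accounts = {}

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = {
            "salt": salt,
            "digest": hash_password(password, salt),
            "history": deque(maxlen=PASSWORD_HISTORY_DEPTH),  # (salt, digest) pairs
            "failures": deque(),  # timestamps of recent failed attempts
            "locked_until": 0.0,
        }

    def is_locked(self, username: str, now: float) -> bool:
        return now < self._accounts[username]["locked_until"]

    @staticmethod
    def _prune_failures(acct: dict, now: float) -> None:
        # Drop failures older than the window so stale mistakes do not accumulate.
        while acct["failures"] and now - acct["failures"][0] > FAILURE_WINDOW_SECONDS:
            acct["failures"].popleft()

    def attempt_login(self, username: str, password: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'.

        A locked account rejects even the correct password, so the lock state
        cannot be used to confirm a guess.
        """
        acct = self._accounts.get(username)
        if acct is None:
            hash_password(password, DUMMY_SALT)  # same cost as a real check
            return "denied"  # identical answer to a wrong password: no enumeration
        if self.is_locked(username, now):
            return "locked"
        self._prune_failures(acct, now)
        if hmac.compare_digest(hash_password(password, acct["salt"]), acct["digest"]):
            acct["failures"].clear()  # success resets the counter for legitimate users
            return "ok"
        acct["failures"].append(now)
        if len(acct["failures"]) >= MAX_FAILED_ATTEMPTS:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"].clear()
            return "locked"
        return "denied"

    def change_password(self, username: str, new_password: str) -> bool:
        """Rejects a password equal to the current one or any in the history window."""
        acct = self._accounts[username]
        candidates = [(acct["salt"], acct["digest"])] + list(acct["history"])
        for salt, digest in candidates:
            if hmac.compare_digest(hash_password(new_password, salt), digest):
                return False  # reuse detected; this is what a password audit looks for
        acct["history"].append((acct["salt"], acct["digest"]))
        acct["salt"] = os.urandom(16)
        acct["digest"] = hash_password(new_password, acct["salt"])
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "correct horse battery staple")  # constructed sample account
    for t in range(5):
        print(t, store.attempt_login("alice", "wrong-guess", now=t))
    print("after lock expiry:",
          store.attempt_login("alice", "correct horse battery staple", now=5 + LOCKOUT_SECONDS))
    print("reuse of current password allowed:",
          store.change_password("alice", "correct horse battery staple"))
```

Two design points matter here. The failure counter is a sliding window rather than a lifetime total, and a successful login clears it, which is what keeps the policy from locking out a legitimate user who mistyped once last week; the lock itself expires on a timer, so the help desk is not a required step in recovery (and, as the MGM example above shows, the help desk is exactly where social engineering is aimed). The reuse check compares the candidate against stored salted hashes, so the audit the list recommends can be performed without the system ever holding old passwords in plaintext.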
The non-technology changes or enhancements to reduce risk
Based on industry-available data and surveys, CISOs and CEOs also rely on the following non-technology measures to secure their organizations.
Implement a change control / management system: I can’t overstate the importance of implementing a multi-approval level change control system. In an era of complex cyber threats, the human element often becomes a vulnerability. A multi-tiered approval process allows us to add layers of scrutiny, involving varied roles from tech specialists to executives, effectively reducing single points of failure. This approach minimizes risks tied to human error and ensures alignment with our cybersecurity strategies. It serves as a vital checks-and-balances system, making our cyber-defense more resilient and adaptive to the evolving threat landscape.
Culture of Accountability
- Reward Programs: Implement reward programs for reporting vulnerabilities or potential risks.
- Transparency: Maintain an open dialogue about the importance of security.
Vendor Risk Management
- Due Diligence: Perform due diligence before onboarding new vendors. Ensure they adhere to your organization’s security standards.
- Continuous Monitoring: Regularly audit vendor security compliance.
Legal Framework
- Non-Disclosure Agreements (NDAs): Get legal contracts in place to protect sensitive information.
- Regular Audits: Ensure compliance with data protection laws and industry standards.
Incident Response Plan: In the ever-evolving landscape of cybersecurity threats, it is no longer a question of if a security incident will happen, but when. This makes having both an effective Incident Response Plan (IRP) and an in-house Red Team indispensable for any organization serious about its cybersecurity posture.